Deploy BeyondTrust with Jamf

IndianaChris
New Contributor II

BeyondTrust is telling us that the only way the "support deployment is through ARD." We are not huge fans of ARD. Has anyone been able to deploy with Jamf and the provided DMG? If so do you mind sharing how.

50 REPLIES 50

MTFIDjamf
Contributor II

Which product from BeyondTrust? Thy have bought up a bunch of stuff recently.

IndianaChris
New Contributor II

Great question, we are using the Secure Remote Access Jump Client.

shaquir
Contributor III

Hi @IndianaChris,
If you are referring to installing the remote support client (previously called Bomgar), you can take a look at this thread Deploying Bomgar JumpClient to Macs using Casper

cwaldrip
Valued Contributor

I checked BeyondTrust's web site and they still only list the their old Bomgar documentation about using Automator and ARD to mount a DMG, etc. However the installer is no longer ON a disk image. It's a standalone app (yes, an app... sigh). I'm looking into this too, but it MIGHT be as simple as installing it in /var/tmp/ and using open /var/tmp/Open To Deploy Jump Client.app. You'll probably need a user environment to run it in though.

Edit: Even with running this as root (sudo), there's still a prompt for local credentials to make changes.

dan-snelson
Valued Contributor II

@IndianaChris We're using @mm2270's App Packager for the bomgar-rep-installer.dmg.

cwaldrip
Valued Contributor

Sigh, update. I missed the 'programmatic' download option, which contains sdcust in the applications...

cwaldrip
Valued Contributor

If I run the install manually from the command line...
sudo hdiutil attach /private/var/tmp/bomgar-scc*.dmg
sudo /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust
...it installs fine.

If I do the same thing in a post-install script as part of a package that puts the dmg in the same place, the splash screen comes up for a while, and it eventually goes away without anything being installed.

I don't understand why and I can't find any type of reference in a log anywhere (looked in console for sdcust, Bomgar, beyond trust, etc).

david_maestre
New Contributor II

Interesting. We use Bomgar/Beyond Trust in our environment for remote support. We don't install any agents -- just a config profile on all machines that will allow the app to do it's thing. We have the use go to a website and click on the technicians name and it will initiate a remote session where the client will download and run a quick package. Allow screen recording and accept the connection. Done.

Kapil
New Contributor III

david_maestre Your method was working fine with Big Sur Mac machines.. So in this case only PPPC is enough and we can able to take remote of user machines without any issues. FYI, We can allow screen recording and accessibility through PPPC itself. Cheers buddy...

cwaldrip
Valued Contributor

@david.maestre but you're not installing the jump client to remote into the machine when a user isn't there. I've got the PPPC setup for most of it, but in 10.15 it prompts to allow screen recording, which I'd think happens even with user-initiated sessions...

torreiw
New Contributor

@cwaldrip This is correct we've tried remote portal and it does prompt to allow screen recording which then requires the user to restart the remote session before control can be had. We have upgraded our base to 6.1 and jump agents to 20.1.1. We now see the .app and have tried multiple ways to deploy and run a post script to install the .app installer without success. Has anyone figured this out as I have an open case with Bomgar with no pathway to success yet.

jtrant
Valued Contributor

Is the issue you're experiencing around the screen recording prompt, or getting the jump client installer to work?

If the former, this is a macOS restriction in Catalina and above, and I'm not aware of a workaround. If the latter, I'd be happy to share my postinstall script. It did take a bit of trial and error to get it working, main thing is to make your installers valid for a year (the maximum) or you'll find yourself re-packaging it a lot.

KyleEricson
Valued Contributor II

@IndianaChris Look at this script to deploy this.

Steps:
1. Create the jump client dmg from the Bomgar console
2. Create policy in Jamf to Cache the dmg and run this script after.
3. Scope and deploy.

#!/bin/sh

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

if [ -a "/Library/Application Support/JAMF/Waiting Room/bomgar-scc-"*".dmg" ]; then

# Attach the Disk Image
    hdiutil attach /Library/Application Support/JAMF/Waiting Room/bomgar-scc-*.dmg

# Run the installer
    /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust

# Wait a minute for it to finish up
    sleep 90

# Unmount the disk image
    hdiutil detach /Volumes/bomgar-scc

# Wait for the unmount to complete
    sleep 25

# Delete the disk image
    rm -R /Library/Application Support/JAMF/Waiting Room/bomgar-scc-*.dmg


else

echo "Bomgar NOT Present"
exit 1

fi
exit 0
Read My Blog: https://www.ericsontech.com

jimmychi
New Contributor

@kericson when I use that script the jump client installs correctly but the the security/privacy preferences aren't set. Was wondering what would be the best way to set those item when installing the actual jump client using that script?

jimmychi
New Contributor

Here is the script I'm running:

#!/bin/bash

BOMGAR_URL='https://it-fileshare-files-179wwtfhkyps2.s3-us-west-2.amazonaws.com/IT/Mac/BomgarProgrammatic.dmg'
DMG_PATH='/tmp/BomgarProgrammatic.dmg'

/usr/bin/curl --silent "${BOMGAR_URL}" --output "${DMG_PATH}"

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

if [ -a "${DMG_PATH}" ]; then

# Attach the Disk Image
    hdiutil attach "${DMG_PATH}"

# # Run the installer
    /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust --silent

# # Wait a minute for it to finish up
#     sleep 60

# # Unmount the disk image
#     hdiutil detach /Volumes/bomgar-scc

# # Wait for the unmount to complete
#     sleep 15

# # Delete the disk image
   # rm -R "${DMG_PATH}"


else

echo "Bomgar NOT Present"

fi

jimmychi
New Contributor

I'm then receiving this error output:

Script result: Checksumming Protective Master Boot Record (MBR : 0)…
Protective Master Boot Record (MBR :: verified   CRC32 $E2F8D74C
Checksumming GPT Header (Primary GPT Header : 1)…
 GPT Header (Primary GPT Header : 1): verified   CRC32 $6E0A0204
Checksumming GPT Partition Data (Primary GPT Table : 2)…
GPT Partition Data (Primary GPT Tabl: verified   CRC32 $E4C3873D
Checksumming  (Apple_Free : 3)…
                    (Apple_Free : 3): verified   CRC32 $00000000
Checksumming disk image (Apple_HFS : 4)…
          disk image (Apple_HFS : 4): verified   CRC32 $F182C998
Checksumming  (Apple_Free : 5)…
                    (Apple_Free : 5): verified   CRC32 $00000000
Checksumming GPT Partition Data (Backup GPT Table : 6)…
GPT Partition Data (Backup GPT Table: verified   CRC32 $E4C3873D
Checksumming GPT Header (Backup GPT Header : 7)…
  GPT Header (Backup GPT Header : 7): verified   CRC32 $1AECF169
verified   CRC32 $FF3EC199
/dev/disk2              GUID_partition_scheme           
/dev/disk2s1            Apple_HFS                       /Volumes/bomgar-scc
20201202 18:43:32 999999 19811:main(19affdc0) UTIL:INFO>license file: '/Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/Resources/server.lic'

Let me know if anyone has any insights

KyleEricson
Valued Contributor II

@jimmychi Which script are you using? The security/privacy preferences can't only be set with a PPPC profile and one part the user has to approve no way to automate per Apple.

Read My Blog: https://www.ericsontech.com

jimmychi
New Contributor

@kericson I'm using the following script:

#!/bin/bash

BOMGAR_URL='https://it-fileshare-files-179wwtfhkyps2.s3-us-west-2.amazonaws.com/IT/Mac/BomgarProgrammatic.dmg'
DMG_PATH='/tmp/BomgarProgrammatic.dmg'

/usr/bin/curl --silent "${BOMGAR_URL}" --output "${DMG_PATH}"

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

if [ -a "${DMG_PATH}" ]; then

# Attach the Disk Image
    hdiutil attach "${DMG_PATH}"

# # Run the installer
    /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust --silent

# # Wait a minute for it to finish up
#     sleep 60

# # Unmount the disk image
#     hdiutil detach /Volumes/bomgar-scc

# # Wait for the unmount to complete
#     sleep 15

# # Delete the disk image
   # rm -R "${DMG_PATH}"


else

echo "Bomgar NOT Present"

fi

Previously that script worked for us and we didn't have to set any security/privacy preferences so was trying to fix it but to no success. Was wondering how we would set the PPPC profile for screen recording and to allow the bomgar jump client?

guillaumegete
New Contributor III

@jimmychi You can't pre-authorize screen recording for any app. The use MUST authorize screen recording. Hard limit from Apple.

BTW, I managed to deploy Remote support button through Self Service, but it seems to fail with the same kind of error when mass deploying the Remote support button, because the install is done in root context when there is no session opened. Bummer.

abnaau
New Contributor III

Our script, similar to the above, used to work fine for installing the Jump Client - and still does - just not for Big Sur.

During installation on Big Sur the user runs into the dialog:

"Double-Click To Start Support Session" can't be opened because Apple cannot check it for malicious software. This software needs to be updated. Contact the developer for more information.

Really? They posted Big Sur support in the release notes but gave us no way to install via MDM? Is there any way around this via Jamf?

abnaau
New Contributor III

Allow me to answer my own question. The app can be pulled out of quarantine manually.

Added to the script - copy the app to /tmp/ and remove it from quarantine and then run it from there instead of the volume.

cp -R '/Volumes/foobar/Double-Click To Start Support Session.app' '/tmp/Double-Click To Start Support Session.app'
xattr -d com.apple.quarantine '/tmp/Double-Click To Start Support Session.app'

applebravo
New Contributor II

Thanks @abnaau ! This really helped us out getting BigSur/Monterey to work...

We used this script:

#Attach the Cached DMG from tmp folder

hdiutil attach /tmp/bomgar/bomgarxxxxxxx.dmg

# copy app to tmp folder

cp -R '/Volumes/bomgarxxxx/Double-Click To Start Support Session.app' '/tmp/Double-Click To Start Support Session.app'

# Allow bomgar app to open

xattr -d com.apple.quarantine '/tmp/Double-Click To Start Support Session.app'

# Run sdcust to install Jump Client

/tmp/Double-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

patgmac
Contributor III

If you're on the MacAdmins Slack, join the Bomgar channel. A BeyondTrust employee posted a PDF that will eventually replace the KB article on the BeyondTrust site for mass deployment.

Here's a direct link: https://macadmins.slack.com/archives/CEH9Y26D6/p1606838240060700

techdan
New Contributor II

There is misinformation in this document. The process is correct, however the file path specified for the DMG file is incorrect. The workflow of caching a package (or in this case a DMG file) start by downloading into "/Library/Application Support/JAMF/Downloads" and then once completed the file moves to "/Library/Application Support/JAMF/Waiting Room". The document specifies the Downloads folder, however the actual path is in the Waiting Room folder. 

sgiesbrecht
Contributor III

@patgmac I don't have an acct to that slack workspace. Can you copy the PDF here please

patgmac
Contributor III

@sgiesbrecht there is no way to attach files here. It's free to sign up for that Slack and it's a great place to hang out and get help.

JYDP1
New Contributor III

Can't access the direct link for Slack.

Any more hints for this problem ?

sgiesbrecht
Contributor III

@JYDP1 
I'd created a package with the Preinstall and Postinstall scripts from Franton (Richard Purves)

 

Created a MacOS (for Programmatic Installation) from you BEYONDTRUST Admin

 

On Composer

  1. Created a temp folder in your favorite location (mine is /tmp)
  2. Copy the BeyondTrust Jump Client DMG into the Temp folder
  3. Copy franton_s_bomgar_postinstall.sh in the Temp folder
  4. Launch Composer
  5. Create a new package with no changes
  6. Import the Temp folder into the package - should look like Image 1
  7. Expand the package to right click the Scripts option
  8. Select Add Shell Script > Preinstall
  9. Copy and paste franton’s Bomgar preinstall.sh into the preinstall.sh – should look like Image 2.  This will remove all previous versions of BeyondTrust / Bomgar jump client so you won’t have multiple copies of jump clients)
  10. Select Add Shell Script > Postinstall
  11. Enter the execute command to run the Temp folder/franton_s_bomgar_postinstall.sh – should look like image 3
  12. Package it up in a PKG file and add to Jamf Admin

 

On Jamf Console

  1. Create a Policy with the new package and deploy – should look like Image 4

 

Always do alpha then beta testing before deploying globally

 

Note, franton_xxxx.sh scripts are the original and SMG_xxxx.sh are frantons with my tweaks to make work on my system

Image 1.png

Image 2.png

Image 3.png

Image 4.png

    

 

#!/bin/bash

# Preinstall script for Bomgar Jump Client
# Author - Richard Purves

# Find any existing Bomgar pkg install receipts and forget them
pkgutil --forget "$( pkgutil --pkgs | grep com.therealreal.pkg.BomgarClient )"

# Find the existing Bomgar install in /Users then run the uninstall command
sd=$( find /Users/Shared /Applications -iname "sdcust" -type f -maxdepth 5 )
[ -f "$sd" ] && "$sd" -uninstall silent

# This is the manual cleanup process in case the previous command didn't work

# Are there any LaunchAgents from a previous install?
test=$( /usr/bin/find /Library/LaunchAgents -iname "com.bomgar.bomgar*.plist" | wc -l | awk '{ print $1 }' )

# More than zero means we have work to do
if [ "$test" -gt 0 ];
then

	# Attempt to unload all the launchd agents and daemons
	/usr/bin/find /Library/LaunchAgents -iname "com.bomgar*.plist" -type f -exec bash -c '/bin/launchctl unload $@' _ {} +
	/usr/bin/find /Library/LaunchDaemons -iname "com.bomgar*.plist" -type f -exec bash -c '/bin/launchctl unload $@' _ {} +

	# Remove all the launchd agents and daemons
	/usr/bin/find /Library/LaunchAgents -iname "com.bomgar*.plist" -exec rm -rf {} \;
	/usr/bin/find /Library/LaunchDaemons -iname "com.bomgar*.plist" -exec rm -rf {} \;
	
	# Remove any existing install folders
	rm -rf /Users/Shared/bomgar-scc*
	rm -rf /Applications/.com.bomgar*
	
	# Finally kill any running processes
	/bin/ps -ax | /usr/bin/grep 'bomg*' | /usr/bin/grep -v grep | /usr/bin/awk '{ print $1 }' | /usr/bin/xargs kill
fi

# Ready to proceed
exit 0
#!/bin/bash

# Postinstall script for Bomgar Jump Client
# Author - Richard Purves

# Work out what folder we're operating from
installdir=$( /usr/bin/dirname $0 )

# Find the dmg we're going to process. We're set up only to do one diskimage in this script.
diskimage=$( /usr/bin/find "$installdir" -iname "*.dmg" -type f -maxdepth 1 -print -quit )

# Create a temporary folder to mount the dmg to.
tmpmnt=$( /usr/bin/mktemp -d /private/tmp/tempinstall.XXXXXX )

# Error check to see if temporary folder was created. Fail out if not. Unlikely.
if [ $? -ne 0 ];
then
	echo "$0: Cannot create temporary folder. Exiting."
	exit 1
fi

# Mount the dmg into the temporary folder we just created. Make sure it doesn't annoy the user by hiding what it's doing.
/usr/bin/hdiutil attach "$diskimage" -mountpoint "$tmpmnt" -nobrowse -noverify -noautoopen

# Find the path of the binary we're looking for
sdc=$( /usr/bin/find "$tmpmnt" -iname "sdcust" -type f )

# Run the install binary
"$sdc" --silent
sleep 60

# Unmount the disk image
/usr/bin/hdiutil detach "$tmpmnt"

# Remove the temporary mount point. It should be automatic but this will catch if it's not.
rm -rf "$tmpmnt"

exit
#!/bin/bash
## postinstall
## SMG_postinstall.sh 

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

/tmp/BTInstall/postinstall.sh /tmp/BTInstall.log
rm -rf /tmp/BTInstall

exit 0		## Success
exit 1		## Failure
#!/bin/bash
## preinstall
## SMG_Preinstall.sh

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Preinstall script for Bomgar Jump Client
# Author - Richard Purves

# Find any existing Bomgar pkg install receipts and forget them
# Updated package search for beyondtrust - SMG - 2021-11-29
BTpkg=$( pkgutil --pkgs | grep beyondtrust )
pkgutil --forget $BTpkg

# Find the existing Bomgar install in /Users then run the uninstall command
sd=$( find /Users/Shared /Applications -iname "sdcust" -type f -maxdepth 5 )
[ -f "$sd" ] && "$sd" -uninstall silent

# This is the manual cleanup process in case the previous command didn't work

# Are there any LaunchAgents from a previous install?
test=$( /usr/bin/find /Library/LaunchAgents -iname "com.bomgar.bomgar*.plist" | wc -l | awk '{ print $1 }' )

# More than zero means we have work to do
if [ "$test" -gt 0 ];
then

	# Attempt to unload all the launchd agents and daemons
	/usr/bin/find /Library/LaunchAgents -iname "com.bomgar*.plist" -type f -exec bash -c '/bin/launchctl unload $@' _ {} +
	/usr/bin/find /Library/LaunchDaemons -iname "com.bomgar*.plist" -type f -exec bash -c '/bin/launchctl unload $@' _ {} +

	# Remove all the launchd agents and daemons
	/usr/bin/find /Library/LaunchAgents -iname "com.bomgar*.plist" -exec rm -rf {} \;
	/usr/bin/find /Library/LaunchDaemons -iname "com.bomgar*.plist" -exec rm -rf {} \;
	
	# Remove any existing install folders
	rm -rf /Users/Shared/bomgar-scc*
	rm -rf /Applications/.com.bomgar*
	
	# Finally kill any running processes
	/bin/ps -ax | /usr/bin/grep 'bomg*' | /usr/bin/grep -v grep | /usr/bin/awk '{ print $1 }' | /usr/bin/xargs kill
fi

exit 0		## Success
exit 1		## Failure

 

Artoom1213
New Contributor

Because Beyond Trust doesnt install to the Applications folder the conventional way, has anyone found a good solution to an extension attribute to create a Smart Group off of?

KyleEricson
Valued Contributor II

Thanks for the help with this. I see where my script was lacking. Most appreciated.

techdan
New Contributor II

Ignore

dwynn
New Contributor III

I spent a lot of time trying to create a policy to deploy BeyondTrust Remote using the above methods. Here is what worked for me. Thank you to the #bomgar Slack channel. Page 21

 

Deploying the Jump Client

JYDP1
New Contributor III

Hey, been testing your script, but, the DMG file appears in the Downloads folder in Library/JAMF
Then disappears. 

There is no Waiting Room subfolder in this folder. So Hdiutil fails, and so on

dwynn
New Contributor III

Here is the script I use. Make sure the .pkg in the Packages payload is set to cache in the policy.

 

 

 

#!/bin/zsh

# Mount Remote Support DMG
hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-(serial).dmg

# Run sdcust to install Jump Client
sudo /Volumes/bomgar-scc/Double\-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

# optional sleep to ensure DMG unmounted and install process complete
sleep 15

Captainamerica
Contributor II

Anyone managed to get beyond trust jump client working ?- Beyondtrust support reply is they have no documentation for jamf but only for ARD - not very modern approach.

So what I tried the following script, where I first cache the DMG


#!/bin/bash

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

# Attach the Disk Image
    
    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-w0eec30d5xxxxxxxxxxxx.dmg

# Run the installer
    /Volumes/bomgar-scc/Double-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust

# Wait a minute for it to finish up
    sleep 120

# Unmount the disk image
#    hdiutil detach /Volumes/bomgar-scc

# Wait for the unmount to complete
#    sleep 15

 

Jamf policy completes without any errors - but when looking in the policy it looks like this


Captainamerica_0-1652267243579.png

 

dwynn
New Contributor III

Here is what works for me.

 

#!/bin/zsh

# Mount Remote Support DMG
hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-xxxxxxxxxxxx.dmg

# Run sdcust to install Jump Client
sudo /Volumes/bomgar-scc/Double\-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

# optional sleep to ensure DMG unmounted and install process complete
sleep 15

Captainamerica
Contributor II

yes - the exact same as mine.

How does you jamf policy looks when this has been executed - just wondering why I get the "attach failed" and it works fine when I do it manually

Captainamerica
Contributor II

And the dmg file is that the one you got direct from the download from beyondtrust portal or something you re-packed on your own